Efficient Byzantine Broadcast in Wireless Ad-Hoc Networks
|
|
- Bertha Lawrence
- 6 years ago
- Views:
Transcription
1 Efficient Byzantine Broadcast in Wireless Ad-Hoc Networks Vadim Drabkin Roy Friedman Marc Segal Computer Science Department Technion - Israel Institute of Technology Haifa, 32 Israel {dvadim,roy,marcs}@cs.technion.ac.il Abstract This paper presents an overlay based Byzantine tolerant broadcast protocol for wireless ad-hoc networks. The use of an overlay results in a significant reduction in the number of messages. The protocol overcomes Byzantine failures by combining digital signatures, gossiping of message signatures, and failure detectors. These ensure that messages dropped or modified by Byzantine nodes will be detected and retransmitted and that the overlay will eventually consist of enough correct processes to enable message dissemination. An appealing property of the protocol is that it only requires the existence of one correct node in each one-hop neighborhood. The paper also includes a detailed performance evaluation by simulation. Keywords: Byzantine failures, broadcast, ad-hoc networks, unreliable failure detectors. Revised version of technical report TR This research was supported by the Israeli Science Foundation and by an academic grant from Intel Inc.
2 1 Introduction Technion - Computer Science Department - Technical Report CS Context of this Study: Wireless ad-hoc networks are formed when an ad-hoc collection of devices equipped with wireless communication capabilities happen to be in proximity to each other [46]. Clearly, each pair of such devices whose distance is less than their transmission range can communicate directly with each other. Moreover, if some devices occasionally volunteer to act as forwarders, it is possible to form a multiple hop ad-hoc network. An important distinguishing element of these networks from standard networks is that they do not rely on any pre-existing infrastructure or management authority. Also, due to their ad-hoc nature and device mobility, there is no sub-netting to assist routing and data dissemination decisions. Moreover, due to mobility, the physical structure of the network is constantly evolving. Semi-reliable broadcast is a basic service for many collaborative applications as it provides nearly reliable dissemination of the same information to many recipients. It ensures that most messages will be received by most of their intended recipients. Yet, implementing semi-reliable broadcast in an efficient manner, and in particular over a wireless ad-hoc network, is far from trivial. It involves ensuring that a message is forwarded to all nodes as well as overcoming possible message losses. Unlike infrastructure based networks in which routers are usually considered to be trusted entities, in ad-hoc networks routing is performed by the devices themselves. Thus, there is a high risk that some of the nodes of an ad-hoc network will act in a Byzantine manner, or in other words, would not respect the networking protocols. This can be due to maliciousness, or simply selfishness (trying to save battery power). Thus, the possibility of having Byzantine nodes in the system motivates the development of Byzantine tolerant broadcast protocols for ad-hoc networks. The simplest way to obtain broadcast in a multiple hop network is by employing flooding [45]. That is, the sender sends the message to everyone in its transmission range. Each device that receives a message for the first time delivers it to the application and also forwards it to all other devices in its range. While this form of dissemination is very robust, it is also very wasteful and may cause a large number of collisions. Hence, many multicast/broadcast protocols maintain an overlay, which can be thought of as a logical topology superimposed over the physical one, e.g., [25, 4, 47, 48]. The overlay typically covers all nodes, yet each node has a limited number of neighbors. Given an overlay, broadcast messages are flooded only along the arcs of the overlay, thereby reducing the number of messages sent as well as the number of collisions. The overlay composition and structure may be determined by either deterministic or probabilistic methods, and they can change dynamically over time. On the other hand, having an efficient overlay reduces the robustness of the broadcast protocol against failures, and in particular against Byzantine behavior of overlay nodes. One way around this is to maintain f + 1 node independent overlays, where f is the assumed maximal number of Byzantine devices, and flood each message along each of these overlays, guaranteeing that each message will eventually arrive despite possible Byzantine nodes [15, 34, 36]. Of course, the price paid by this approach is that every message has to be sent f + 1 times even if in practice none of the devices suffered from a Byzantine fault. In this paper we propose an approach that reduces this overhead to a single overlay when there are no Byzantine failures. Contribution of this Work: This paper presents an efficient Byzantine tolerant broadcast protocol for wireless ad-hoc networks. The protocol is based on the following principles: The protocol employs an overlay on which messages are disseminated. In parallel, signatures about these messages are being gossiped by all nodes in the system in an unstructured manner. This allows all nodes to learn about the existence of a message even if some of the overlay nodes fail to forward them, e.g., if they are Byzantine or due to 1
3 collisions. When a node learns about a message it is missing, it requests the missing message from another node that has it. The benefit of this approach comes from the fact that message signatures are typically much smaller than the messages themselves. Moreover, as gossips are sent periodically, multiple gossip messages are aggregated into one packet, thereby greatly reducing the number of messages generated by the protocol. Additionally, the protocol employs several failure detectors in order to eliminate from the overlay nodes that act a noticeable Byzantine manner. Specifically, we rely on a mute failure detector, a verbose failure detector, and a trust failure detector. The mute failure detector detects when a process has failed to send a message with an expected header [17, 18]. The verbose failure detector detects when a node sends messages too often. Finally, the trust failure detector reports suspicions of a faulty behavior of nodes based on the other two failure detectors and the history of nodes. 1 An interesting property of the failure detectors we use is that they only detect benign failures, such as a failure to send a message with an expected header, sending too many messages, or trying to forge a signed message. They do not detect, for example, sending messages with inconsistent data, or sending messages with different data to different processes. Thus, their properties can be detected locally and they can be implemented in an eventually synchronous environment, such as the timed-asynchronous model [16], regardless of the ratio between the number of Byzantine processes and the entire set of processes. Interestingly, combining this with signatures on messages is enough to overcome Byzantine failures. An important aspect of our failure detector based approach is its modularity, as they encapsulate timing requirements behind a timeless functional specification. The use of failure detectors greatly simplifies the protocol s structure and enables us to present it with an asynchronous design. This is often considered more elegant and robust than synchronous alternatives, in which timing assumptions are explicit. The result is a protocol that sends a small number of messages when all nodes behave correctly most of the time. The paper also includes a detailed performance evaluation of this protocol carried out by simulation. In these simulations, we investigate the behavior of the protocol both in failure free runs and when some nodes experience mute failures, as these failures seem to have the most adverse impact on the protocol s performance. Paper s road-map: The model and basic definitions and assumptions are described in Section 2. Section 3 describes the protocol and its proof of correctness. The results of the performance evaluation are given in Section 4. Section 5 compares our work with related work. We conclude with a discussion in Section 6. 2 System Model and Definitions In this work we focus on wireless mobile systems. Specifically, we assume a collection of nodes placed in a given finite size area. A node in the system is a device owning an omni-directional antenna that enables wireless communication. A transmission of a node p can be received by all nodes within a disk centered on p whose radius depends on the transmission power, referred to in the following as the transmission disk; the radius of the transmission disk is called the transmission range. The combination of the nodes and the transitive closure of their transmission disks forms a wireless ad-hoc network. 2 1 Notice that standard definitions of failure detectors require some properties to hold forever. However, this can be bounded along the lines of [24]. 2 In practice, the transmission range does not behave exactly as a disk due to various physical phenomena. However, for the description of the protocol it does not matter, and on the other hand, a disk assumption greatly simplifies the formal model. At any event, our simulation results are carried on a simulator that simulates a real transmission range behavior including distortions, background noise, etc. 2
4 We denote the transmission range of device p by r p. This means that a node q can only receive messages sent by p if the distance between p and q is smaller than r p. A node q is a direct neighbor of another node p if q is located within the transmission disk of p. In the following, N(1, p) refers to the set of direct neighbors of a node p and N(k, p) refers to the transitive closure with length k of N(1, p). By considering N(1, p) as a relation (defining the set N(1, p)), we say that a node p has a path to a node q if q appears in the transitive closure of the N(1, p) relation. As nodes can physically move, there is no guarantee that a neighbor q of p at time t will remain in the transmission disk of p at a later time t > t. Additionally, messages can be lost. For example, if two nodes p and q transmit a message at the same time, then if there exists a node r that is a direct neighbor of both, then r will not receive either message, in which case we say that there was a collision. Yet, we assume that a message is delivered with positive probability. Each device p holds a private key k p, known only to itself, with which p can digitally sign every message it sends [44]. It is also assumed that each device can obtain the public key of every other device, and can thus authenticate the sender of any signed message. Finally, we assume an abstract entity called an overlay, which is simply a collection of nodes. Nodes that belong to the overlay are called overlay nodes. Nodes that do not belong to the overlay are called non-overlay nodes. In the following, OVERLAY refers to the set of nodes that belong to the overlay and OL(1, p) N(1, p) OVERLAY (the neighbors of p that belong to the overlay). Later in this paper we give examples of a couple of known overlay maintenance protocols that we adapted to our environment. 2.1 Byzantine Failures Up to f out of the total of n nodes in the system may be Byzantine, meaning that they can arbitrarily deviate from their protocol. In particular, Byzantine processes may fail to send messages, send too many messages, send messages with false information, or send messages with different data to different nodes. We also assume that correct and Byzantine processes are spread such that the transitive closure of the transmission disks of correct nodes form a connected graph (clearly, without this assumption, it is impossible to ensure dissemination of messages to all correct nodes). In Section 3.4 we refine this requirement. Yet, a node cannot impersonate another node, which is achieved using digital signatures [44]. 3 Nodes that follow their protocol are called correct. If a node is correct, then it is presumed to be correct throughout the execution of the protocol. A node p that sends a message m is called the originator of m. We denote sig(m) to be the cryptographic signature of a message m. 2.2 Failure Detectors and Nodes Architecture As already mentioned in the Introduction, we assume that each node is equipped with three types of failure detectors, MUTE, VERBOSE, and TRUST (see also illustration in Figure 1). In this work we assume that each message has a header part and a data part. The header part can be anticipated based on local information only while the data part cannot. For example, the type of a message (application data, gossip, request for retransmission, etc.), the id of the originator, and a sequence number of the message are part of the header. On the other hand, the information that the application level intended to send, or the actual gossiped information, is part of the data. Based on this, we define a mute failure as failure to send a message with an expected header w.r.t. the protocol. Similarly, a verbose failure is sending messages too often w.r.t. the protocol. Note that both 3 In the implementation of our protocol we use the DSA protocol [44]. For brevity, we do not repeat a discussion about the infrastructure required for this, as this is can be found in many papers and text-books on the use of cryptography. 3
5 appl Technion - Computer Science Department - Technical Report CS VERBOSE TRUST overlay MUTE network multicast FD interceptor Figure 1: Node Architecture types of failures can be detected accurately in a synchronous system based on local knowledge only. This is because in synchronous systems each message has a known bounded deadline, so it is possible to tell that a message is missing. Similarly, it is possible to accurately measure the rate of messages received and verify that it is below an agreed upon threshold. Obtaining synchronous communication in ad-hoc networks with standard hardware and operating systems is extremely difficult. On the other hand, observations of communication networks indicate that they tend to behave in a timely manner for large fractions of the time. This is captured by the notion of the class P mute of failure detectors [5, 17, 18, 23]. Such failure detectors are assumed to eventually (i.e., during periods of timely network behavior) detect mute failures accurately. In this eventuality, all nodes that suffer a mute failure are suspected (known as completeness) and only such nodes are suspected (known as accuracy). This approach has the benefit that all synchrony assumptions are encapsulated behind the functional specification of the failure detector (i.e., its ability to eventually detect mute failures in an accurate manner). This also frees protocols that are based on such failure detectors from the implementation details related to timers and timeouts, thus making them both more general and more robust. In a similar manner to P mute, we define P verbose as a class of failure detectors that eventually reliably detect verbose failure. We assume that the failure detector MUTE is in the class P mute while VERBOSE is in the class P verbose. The TRUST failure detector collects the reports of MUTE and VERBOSE, as well as detections of messages with bad signatures and other locally observable deviations from the protocol. In return, TRUST maintains a trust level for each neighboring node. This information is fed into the overlay, as illustrated in Figure 1. As we describe later in the paper, the information obtained from TRUST is used to ensure that there are enough correct nodes in the overlay so that the correct nodes of the overlay form a connected graph and that each correct node is within the transmission disk of an overlay node that does not exhibit detectable Byzantine behavior. Interval Failure Detectors Since the specification of P failure detectors require the accuracy property to hold from some point on forever, they are not practical in a real long running system. Hence, we present a new type of failure detectors called Interval failure detector. We define I mute as the class of failure detectors that detect mute failures that occur during special intervals called mute intervals for the duration of an interval called suspicion interval. Byzantine Broadcast Mechanism 4
6 Formally, the I mute failure detector is defined by two properties: Technion - Computer Science Department - Technical Report CS Interval Strong Accuracy: Non-mute processes are not suspected by any other correct process during a certain interval that we call suspicion free interval. Interval Local Completeness: Every process p that suffers a mute failure with respect to a correct process q during a mute interval is suspected by q during a suspicion interval. In a similar manner to I mute, we define I verbose as a class of failure detectors that detect verbose failure. In Section 3.4 we show that if the failure detector belongs to an interval failure detector class, then during periods of good connectivity messages will be disseminated fast (i.e., via the overlay nodes). 2.3 The Broadcast Problem Intuitively, the broadcast problem states that a message sent by a correct node should usually be delivered to all correct nodes. We capture this by the eventual dissemination and the validity properties. Eventual dissemination specifies the ability of a protocol to disseminate a message to all the nodes in the system. Validity specifies that when a correct node accepts a message, then this message was indeed generated by the claimed originator. Formally, we assume a primitive broadcast(p, m) that can be invoked by a node p in order to disseminate a message m to all other nodes in the system, and a primitive accept(p,q,m) in which a message claimed to be originated by q is accepted at a node p. Eventual dissemination: If a correct node p invokes broadcast(p, ) infinitely often, then eventually every correct node q invokes accept(q,p, ) infinitely often. 4 Validity: If a correct node q invokes accept(p,q,m) and p is correct, then indeed q invoked broadcast(p,m) beforehand. Moreover, for the same message m, a correct node p can only invoke accept(p,q,m) once. 3 The Dissemination Protocol As indicated in the Introduction, our protocol includes three concurrent tasks. First, messages are disseminated over the overlay by the overlay nodes. Second, signatures about sent messages are gossiped among all nodes in the system. This allows all nodes to learn about the existence of messages they did not receive either due to collisions or due to a Byzantine behavior by an overlay node. When a node p discovers that it misses a message following a gossip it heard from q, then p requests the missing message from q as well as from its overlay neighbors. The third and final task is the maintenance of the overlay, whose goal is to ensure that the evolving overlay indeed disseminates messages to all correct nodes. Note that the dissemination and recovery tasks are independent of the overlay maintenance. At any event, for performance reasons, most overlay maintenance messages can be piggybacked on gossip messages. As the protocol and overlay rely on failure detectors, we first describe the interface to these failure detectors in Figure 2 and in Section 3.1. The pseudo-code of the main protocol appears in Figures 3 and 4 and is described in detail in Section 3.2. These figures use two primitives. The primitive broadcast denotes a broadcast of a message with a given TTL value, i.e., it reaches through flooding all nodes in the 4 Clearly, with this property it is possible to implement a reliable delivery mechanism. In order to bound the buffers used by such a mechanism, it is common to use flow control mechanisms. 5
7 MUTE expect(message header,set of nodes,one or all) This method notifies the MUTE failure detector about an expected message. It accepts as parameters the expected message header, the set of nodes that are supposed to send the message, and a one or all indication. The latter parameters indicates if ALL nodes are assumed to send the message or only ONE of them. VERBOSE indict(node id) This method indicts a node with node id for being too verbose It causes the VERBOSE failure detector to increment the suspicion level of node id. TRUST suspect(node id,suspicion reason) This method notifies the TRUST failure detectors that the level of trust of node node id should be reduced based on the provided suspicion reason. Figure 2: Failure Detectors Interface corresponding hop distance from the sender. The primitive lazycast initiates periodic broadcasting of the given message only to the immediate neighbors of the sender. The overlay maintenance is described in Section Interfacing with the Failure Detectors Recall that the goal of the MUTE failure detector is to detect when a process fails to send a message with a header it is supposed to. To notify this failure detector about such messages, its interface includes one method called expect (see Figures 1 and 2). This method accepts as parameters a message header to look for, a set of nodes that are supposed to send this message, and an indication if all of these nodes must send the message or only one of them is enough. Note that the header passed to this method can include wildcards as well as exact values for each of the header s fields. In this paper we do not focus on how such a failure detector is implemented. Intuitively, a simple implementation consists of setting a timeout for each message reported to the failure detector with the expect method. When the timer times out, the corresponding nodes that failed to send anticipated messages are suspected for a certain period of time (see discussion in [17, 18]). The goal of the VERBOSE failure detector is to detect verbose nodes. Such nodes try to overload the system by sending too many messages that may cause other nodes to react with messages of their own, thereby degrading the performance of the system. Detecting such nodes is therefore useful in order to allow nodes to stop reacting to messages from these nodes. Similarly to MUTE, the VERBOSE failure detector also gets hints from the broadcast protocol about what would constitute a verbose fault. For this, the interface of VERBOSE exports one method called indict. This method simply indicts a process that has sent too many messages of a certain type. Practically, we assume that VERBOSE maintains a counter for each node that was listed in any invocation of its method. The counter is incremented on each such event, and after a given threshold, the node is considered to be a suspect. VERBOSE also includes a method that allows to specify general requirements about the minimal spacing between consecutive arrivals of messages of the same type. Such a method is typically invoked at initialization time. As it it is not directly accessed by our protocol s code, we do not 6
8 discuss it any further. In order to recover from mistakes, both the MUTE and the VERBOSE failure detectors employ an aging mechanism. That is, the suspicion counters for each node are periodically decremented. Finally, the TRUST failure detector maintains a trust level for every node known to it. TRUST suspects a node q if q is suspected by either the MUTE failure detector or the VERBOSE failure detector, or if the suspect method has been invoked for q. 3.2 The Main Protocol The Dissemination Task in Detail Dissemination consists of the following steps (described from the point of view of a node p): (1) The originator p of a message m sends m sig(m) to all nodes in N(1, p). The header part of m includes a sequence number and the identifier of the originator. (2) The originator p of m then gossips sig(m) to all nodes in N(1, p). (3) When a node p receives a message m for the first time, p first verifies that sig(m) matches m. If it does, then p accepts m. If the node that sent m is not an originator of m and is not in OL(1, p), p instructs its MUTE failure detector to expect a transmission of m by any of its overlay neighbors. Moreover, if p is also an overlay node, then p forwards m to all nodes in N(1, p). However, if m does not fit sig(m), then m is ignored and the process that sent it is suspected by the TRUST failure detector. (4) If a node p receives a message m it has already received beforehand, then m is ignored Gossiping and Message Recovery in Detail Intuitively, the idea here is that nodes gossip about messages they received (or sent) to all their neighbors. This way, if a node hears a gossip about a message that it has never received, it can explicitly ask the message both from its overlay neighbor and from the node from which it received the gossip. If any of the contacted nodes has the message, it forwards it to the requesting node. Messages can be purged either after a timeout, or by using a stability detection mechanism. In this work, we have chosen to use timeout based purging due to its simplicity. Additionally, there are several mechanisms in place to overcome Byzantine failures (in addition to signatures that detect impersonations). In order to prevent a Byzantine overlay node from blocking the dissemination of a message, searching a missing message can be initiated by limited flooding with TTL=2, which ensures that the recovery request will reach beyond a single Byzantine overlay node. This, in addition to requesting the message from the process that gossiped about its existence. Also, when a node feels that it has received a request for a missing message too often, or that such a request is unjustified, it notifies its VERBOSE failure detector about it. More accurately, the gossiping and message recovery task is composed of the following subtasks: 1. When a node p receives a gossip header(m) for a message m it has already received before, then p gossips header(m) to other nodes in N(1, p). Otherwise, p ignores such gossips. In particular, p only gossips about messages it has already received and does not forward gossips about messages it has not receive yet. This is done in order to make the recovery process more efficient, and in order to help detect mute failures more accurately. 5 5 It is possible to piggyback the first gossip of a message by the sender and by overlay nodes on the actual message. This saves one message and makes the recovery of messages a bit faster, since gossips about messages advance slightly faster this way. For clarity of presentation, we separate these two types of messages in the pseudo-code. 7
9 Upon send(msg) by application do (1 )message := msg id node id msg sig(msg id node id msg); (2 )gossip message := msg id node id sig(msg id node id); (3 )broadcast(message,data,ttl=1); (4 )lazycast(gossip message,gossip,ttl=1); Upon receive(message,data,ttl) sent by p j do (5 ) if (have not received this message before) then (6 ) if (authenticate-signature(message) = TRUE) then (7 ) Accept(p i,p j,message) /* forward it to the application */; (8 ) if (p j / OV ERLAY and p j is not originator of message) then (9 ) /* The correct message was received (but not from the overlay node) */ (1 ) MUTE.expect(message.header,OL(1,current node),any); (11 ) endif; (12 ) if (current node OV ERLAY ) then (13 ) broadcast(message,data,1); (14 ) else /* the message is correct and I am not in the overlay */; (15 ) if (ttl = 2) then (16 ) broadcast(message,data,ttl-1); (17 ) endif; (18 ) endif; (19 ) if (already received a gossip message about message before) then (2 ) lazycast(gossip message,gossip,ttl=1); (21 ) endif; (22 ) else/* the message is not correct */; (23 ) TRUST.suspect(p j, bad signature reason ); /* notify the trust failure detector */ (24 ) endif; (25 )endif; Upon receive(gossip message,gossip,ttl) sent by p j: do (26 )if (authenticate-signature(gossip message) = TRUE) then (27 ) if (there is no message that fits the gossip message) then (28 ) MUTE.expect(gossip message.header,p j,any); (29 ) if (p j is not originator of message that fits the gossip message) then (3 ) /* The node asks from the node that sent the gossip message and from overlay nodes to */ (31 ) /* send the real message */ ; (32 ) broadcast(gossip message,request MSG,ttl=1,p j); (33 ) endif; (34 ) else /* the message that fits the gossip message was received */ ; (35 ) if (gossip message have not been sent yet) then (36 ) lazycast(gossip message,gossip,ttl=1); (37 ) endif; (38 ) endif; (39 )else/* the message is not correct */; (4 ) TRUST.suspect(p j, bad signature reason ); (41 )endif; Figure 3: Byzantine Dissemination Algorithm 8
10 Upon receive(missing message,request MSG,ttl,p k ) sent by p j do (42 )if (authenticate-signature(missing message) = TRUE) then (43 ) if (current node OV ERLAY or current node = p k ) then (44 ) if (message that matches missing message was received) then (45 ) if (current node OV ERLAY ) then (46 ) VERBOSE.indict(p j); (47 ) endif; (48 ) broadcast(message,data,ttl=1,p j); (49 ) else /* the message that fits the gossip message was not received */; (5 ) if (p j is not originator of the message that matches missing message) then (51 ) if (current node OV ERLAY ) then (52 ) broadcast(missing message,find MISSING MSG,2,p k ); (53 ) endif; (54 ) else (55 ) VERBOSE.indict(p j); (56 ) endif; (57 ) endif; (58 ) endif; (59 )else/* the message is not correct */; (6 ) TRUST.suspect(p j, bad signature reason ); (61 )endif; Upon receive(missing message,find MISSING MSG,ttl,p k ) sent by p j do (62 )if (authenticate-signature(missing message) = TRUE) then (63 ) if ( message that matches missing message was not received) then (64 ) if (ttl = 2) then (65 ) broadcast(missing message,find MISSING MSG,ttl-1); (66 ) endif; (67 ) else /*message that matches missing message was received)*/ (68 ) if(current node OV ERLAY or current node = p k ) then (69 ) if (p j N(1, current node)) then (7 ) if(current node OV ERLAY ) then (71 ) VERBOSE.indict(p j); (72 ) endif; (73 ) broadcast(message,data,1); (74 ) else (75 ) broadcast(message,data,2); (76 ) endif; (77 ) endif; (78 ) endif; (79 )else/* the message is not correct */; (8 ) TRUST.suspect(p j, bad signature reason ); (81 )endif; Figure 4: Byzantine Dissemination Algorithm continued 9
11 2. When p receives a gossip header(m) for a message m it has not received, p asks its overlay neighbors and the sender q of the gossip to forward m to it using a REQUEST MSG message. p also instructs its MUTE failure detector to expect a transmission of m by q. Intuitively, since q gossiped about m, it should have m and supply it when needed. If q gossips about messages that do not exist or q does not want to supply them, it will be suspected. 3. When an overlay node p receives a REQUEST MSG for the same message m too many times from the same node q, it causes p s VERBOSE failure detector to suspect q. 4. When an overlay node p receives a REQUEST MSG for the message m, yet p has not received m, then p sends a FIND MISSING MSG message to nodes in OL(2, p) asking them to retransmit m. (The message is sent to overlay nodes at distance 2 in order to bypass a potential neighboring Byzantine node.) Intuitively, if p receives a REQUEST MSG from q for a message m, and p does not have m, then it means that some neighbor r of q has gossiped header(m) to q. Therefore, at least one node in N(1, q) has m. Since real messages are broadcasted by the overlay nodes faster than the gossips on these messages, it means that m is missing and therefore p asks nodes in OL(2, p) to retransmit m. 5. When an overlay node p receives a FIND MISSING MSG message for m from a node q and p has m, then p first broadcast m to q. If q N(1, p), then p notifies its VERBOSE failure detector about it. Intuitively, if q is p s neighbor and p is an overlay node that has m, then p has broadcasted m to its neighbors and therefore q should have m. 6. When a non-overlay node p receives a FIND MISSING MSG message for m (it gossiped about) from a node q, p broadcasts m to q. 3.3 Overlay Maintenance Overlay maintenance is executed by a distributed protocol. There is no global knowledge and each node must decide whether it considers itself an overlay node or not. Thus, the collection of overlay nodes is simply the set of all nodes that consider themselves as such. At the same time, every correct overlay node periodically publishes this fact to its neighbors, so in particular, each overlay node eventually knows about all its correct overlay neighbors. The goal of the protocol is to ensure that indeed the overlay can serve as a good backbone for dissemination of messages. This means that eventually between every pair of correct nodes p and q there will be a path consisting of overlay nodes that do not exhibit externally visible Byzantine behavior. At the same time, for efficiency reasons, the overlay should consist of as few nodes as possible. For scalability and resiliency reasons, we are interested in a self-stabilizing distributed algorithm in which every node decides whether it participates in the overlay based only on the knowledge of its neighbors. Recall that the neighbors of p are the nodes that appear in the transmission disk of p. Thus, p can communicate directly with them and every message p sends is received by all of them. In order to enable nodes to decide locally if they should become overlay nodes, we need some deterministic symmetry breaking rule. In this paper we utilize the overlay maintenance protocols of [21]. The work of [21] defined the goodness number as a generic function that associates each node with a value taken from some ordered domain. The goodness number represents the node s appropriateness to serve in the overlay. This way, it is possible to compare any two nodes using their goodness number and to prefer to elect the one whose value is highest to the overlay. Since in a Byzantine environment nodes can lie about their goodness 1
12 number, this becomes a useless criterion. Thus, we replace the notion of a goodness number with the nodes id (which is unforgeable, by assumption). Each node has a local status, which can be either active or passive; active means that the node is in the overlay whereas passive means that it is not. The local state of each node includes a status (active or passive), and its knowledge of the local states of all its neighbors (based on the last local state they reported to it). Additionally every node p maintains a variable overlay trust for each of its neighbors q, which can be either trusted, untrusted or unknown; untrusted means that the TRUST failure detector of p suspects q, unknown means that the TRUST failure detector of p does not suspect q but another neighbor of p that p trusts reported to p that it suspects q, and trusted means that p has no reason to suspect q. Also, p records for each neighbor the list of its active neighbors. We assume that overlay maintenance messages are signed as well. In order to ensure the appropriateness of the overlay, we need to verify that the overlay includes alternatives to each detected mute or verbose node. Ideally, we would like to eliminate these nodes from the overlay, but as they are Byzantine, they may continue to consider themselves as overlay nodes. Thus, the best we can do is make sure that there is an alternative path in the overlay that does not pass through such nodes, and that correct nodes do not consider mute and verbose nodes as their overlay neighbors. The protocol for deciding if a node should be in the overlay consists of computation steps that are taken periodically and repeatedly by each node. In each computation step, each node makes a local computation about whether it thinks it should be in the overlay or not, and then exchanges its local information with its neighbors. For simplicity, we concentrate below on the local computation steps only. Additionally, if a node p receives a message from its neighbor q in which q reports that it suspects a node r, then p changes r s overlay trust to unknown, unless p already suspects either q or r. This is done because a Byzantine node might be suspected only by some of its neighbors. Therefore, a node that suspects one of its neighbors should notify its other neighbors about this suspicion in order to preserve connectivity of correct nodes in the overlay. Note that a Byzantine node may abuse this and cause its correct neighbors to join the overlay. In other words, a Byzantine node can cause correct nodes to unnecessarily join the overlay, but it cannot destroy the connectivity of the overlay w.r.t. correct nodes. Our goal is to ensure that a node elects itself to the overlay if it has the highest identifier among its trusted neighbors. Below, we mention a couple of overlay maintenance protocols that realize this intuition (by making the goodness number of a node be its identifier). Specifically, we have implemented two overlay maintenance protocols, namely the Connected Dominating Set (CDS) and the Maximal Independent Set with Bridges (MIS+B) of [21], augmented with trust levels (i.e., the overlay trust variable). 6 Since other than adding the trust level, the protocols are the same as in [21], we do not repeat them here. 3.4 Correctness Proof Let us remind the reader that in Section 2.1 we assumed that there are enough correct nodes so that non- Byzantine nodes form a connected graph. With this assumption, we prove the following validity and eventual dissemination properties. We present proofs only for MUTE failure detector, since the proofs for TRUST and VERBOSE failure detectors are trivial. For this, we first introduce a few definitions. 1. gossip timeout - the time between two consecutive gossip messages by a correct node. 2. request timeout - the time between receiving a gossip message and sending a request message. 6 The CDS and MIS+B protocols in [21] are in fact self-stabilizing generalizations of the work of [48]. 11
13 3. rebroadcast timeout - the time between getting a request message and sending the message that fits the requested message. Technion - Computer Science Department - Technical Report CS β - transmission time (the latency that takes a message to arrive to the receiver) 5. δ - the number of new messages that are injected to the network every second. 6. max timeout = gossip timeout + request timeout + rebroadcast timeout + 3 beta In the following, a pair of nodes p and q are well connected at time t if both are correct and p N(1, q) and q N(1, p) during the time interval [t, t + max timeout]. We denote this relation by W C(p, q, t). In order to ensure dissemination of messages, we assume the following: starting with some time t, for every t > t, the graph induced by all pairs of well connected nodes at time t is connected, and this graph includes all correct nodes in the network. 7 This can be seen as a refinement of the similar requirement in [15] to mobile ad-hoc networks. Theorem 3.1 The protocol satisfies the validity property. Proof: According to the protocol, the originator of a message m adds a signature sig(m) and then disseminates the message m sig(m) to other nodes. Note that on receiving of m sig(m), every correct node checks if sig(m) corresponds to m before the node accepts m. As a part of the model s basic assumptions, a Byzantine node cannot forge signatures. Therefore, no correct node will accept a message other than m as if it was m. Moreover, according to the protocol, correct nodes filter duplicates of messages they have already received. Theorem 3.2 The protocol satisfies the eventual dissemination property. Proof: We show that a message m that is sent infinitely often by a correct originator p is disseminated to all the correct nodes. Assume, by way of contradiction, that there is a message m that is not received by some correct process. Let k be the smallest number such that there exists a correct node q N(k, p) that does not receive m. Recall that by assumption, during every time interval all the well connected nodes form a connected graph that includes all correct nodes. Therefore there exists a correct node l N(k 1, p) such that the distance between q and l is smaller than r l and l received m. According to the protocol, l will send a gossip about m to its neighbors and if requested by its neighbors, l will also send m. Thus, q will receive m either from its overlay node or from l. This is a contradiction to the assumption about the minimality of k Protocol Analysis In this section we compute a bound on the time required to disseminate a message to all the nodes and present a limit on the size of buffers that every node must maintain to successfully disseminate all the messages. In order to provide a bound on the dissemination time we assume that messages do not collide. 7 One can weaken this requirement by saying that starting with some time t, there are infinite times for which the graph induced by all pairs of well connected nodes is connected, and this graph includes all correct nodes in the network. The price of it will be that the dissemination time of message to all the nodes will grow proportionally to the durations in which this graph is not connected. 12
14 s B B B B Technion - Computer Science Department - Technical Report CS The Dissemination Time: received m by time t. Figure 5: Byzantine overlay In the following, CR(m, t) refers to the number of correct processes that Lemma 3.3 Let m be a message sent by some correct process p. Let t 1 be the time in which the first correct process received m. Let t 2 be the time in which the last correct process received m. During the interval [t 1, t 2 ], for all t 3, t 4 such that t 2 t 4 > t 3 t 1 and (t 4 - t 3 ) max timeout, CR(m,t 4 ) > CR(m, t 3 ). Proof: Assume by way of contradiction that the lemma does not hold. Therefore, there are two neighboring nodes u and q such that q received the message m at time t and u does not receive m by time t + max timeout. Recall our assumption that the graph induced by well connected nodes is connected and includes all correct nodes. After getting the gossip that fits the correct message m (that q received before), q broadcasts the gossip to its neighbors after at most gossip timeout seconds. If its neighbors do not have it, they send a request message after at most request timeout seconds and then after at most rebroadcast timeout seconds q broadcasts the message to its neighbors. Therefore, after at most max timeout seconds the message will be disseminated to u. A contradiction. Theorem 3.4 Let m be a message sent by some correct process p at time t. Then all correct nodes will receive m by time t + max timeout (n 1). Proof: According to Lemma 3.3, every max timeout seconds at least one node (that has not received the message before) will get m. Since the graph of correct nodes is connected and the number of correct nodes is at most n, all correct nodes will receive message m after at most max timeout (n 1) seconds. The dissemination time depends on the mobility of nodes. If all nodes are static, each message will be disseminated to all the nodes in at most max timeout n 2 seconds, where n is the number of nodes. The explanation for this bound is as follows: According to Lemma 3.3, a node that has message m will broadcast it to its neighbors in at most max timeout seconds. In the worst case, as illustrated in Figure 5, all nodes that belong to the overlay are Byzantine and therefore all messages will be disseminated using the gossip-request mechanism. Due to the assumption that the graph of correct nodes is connected, the maximal number of hops in the network is n 2 hops (in every hop there is one Byzantine overlay node and one correct node). Therefore, the message should pass n 2 hops and it will take at most max timeout n 2 seconds. In mobile networks, each message will be disseminated to all the nodes according to Theorem 3.4 within max timeout (n 1) seconds. Buffers Size: The size of buffers that every node should have depends on the mobility of the nodes. If all the nodes do not move, every node has to hold every message for max timeout seconds, i.e., the time it takes to disseminate the message only to all its neighbors. Therefore, every node in a static network should have a buffer of size max timeout δ messages. In mobile networks, every message should be kept until all the nodes receive the message. As we showed, every message is disseminated to all the nodes within max timeout (n 1) seconds. Therefore, the buffer size of every node in mobile network should be max timeout (n 1) δ messages. 13
15 In the following sections, we show that the messages are propagated fast (via the overlay nodes) during certain periods if the failure detectors behave like eventually perfect failure detectors or like interval failure detectors Fast Dissemination with Eventually Perfect Failure Detectors In the following, we show that if the MUTE failure detector indeed belongs to P mute, then eventually messages are disseminated to all correct nodes by the overlay. The significance of this is that dissemination along overlay nodes is fast, since it need not wait for the periodic gossip mechanism. Lemma 3.5 Assume that the MUTE failure detector P mute. Then eventually the non-mute overlay nodes form a connected graph COL such that every correct node is either in COL, or within the transmission range of a non-mute node in COL. Proof: Eventually, P mute of all correct nodes will suspect all the mute nodes. Thus, the goodness number in the overlay maintenance protocol for mute nodes will be lower than all other nodes. Consequently, the overlay built by the maintenance protocol will have the desired property. Theorem 3.6 Eventually, when there are no collisions, most messages propagate to all the nodes via the overlay nodes, if the MUTE failure detector P mute. Proof: In Lemma 3.5, we showed that eventually, the non-mute nodes of the overlay form a connected graph that covers all non-mute nodes. Therefore, eventually, all messages are propagated by overlay nodes to all correct nodes, which proves the theorem Fast Dissemination with Interval Failure Detectors In this section we discuss the conditions under which our protocol implements I mute correctly. We show that, if the MUTE failure detector indeed belongs to I mute then during periods of good connectivity messages are disseminated to all correct nodes by the overlay. Observation 3.1 If suspicion interval f mute interval then there will be an interval CI i in which at least one overlay node in N i will be correct. We call CI i a correct interval for node i. Observation 3.2 There exists a suspicion interval such that there are CI 1, CI 2,... CI n for which CI 1 CI 2... CI n. Observation 3.3 In order to prevent false suspicions of the overlay nodes the mute interval of the I mute failure detector should be larger than (n 1) max timeout. Observation 3.4 If some correct node p decides that it is not in the overlay, then after some finite time all of its correct neighbors know that p / OV ERLAY. This immediately follows from the protocols that maintain the overlay. Let OL(p 1,p 2,t start,t end ) be a relation such that p 1 believes that p 2 OL(1,p 1 ) during interval [t start,t end ]. Lemma 3.7 Every Byzantine overlay node q that is mute w.r.t. another node p during an interval [t, t + mute interval] and satisfies OL(p,q,t,t+mute interval) will be suspected by p during suspicion interval. 14
16 Proof: Let q be a Byzantine overlay node that does not forward the message m. Let p be a correct node that satisfies OL(p,q,t,t+mute interval). We assume that q is not forwarding m to p during mute interval and we will show that q will be suspected during suspicion interval. According to Theorem 3.4, all correct nodes will receive m after at most max timeout (n 1) seconds. Therefore, according to the protocol, after receiving m, p will activate its MUTE failure detector and if q is not forwarding messages during mute interval, it will be suspected during suspicion interval by p. Lemma 3.8 Non-mute processes are not suspected by some correct process during suspicion f ree interval. Proof: A non-mute non-overlay node p cannot be suspected, since according to the protocol a non-overlay node can be suspected by the MUTE failure detector only if it is not forwarding a message m that it gossiped about. Since p is not mute, it will always forward the message m and therefore will not be suspected. According to Observation 3.4, if p leaves the overlay, then after some finite time that is smaller than mute interval all its correct neighbors believe that p / OV ERLAY. Therefore, p s neighbors will not expect p to broadcast messages and thus will not suspect it either. Similarly, a non-mute overlay node p also cannot be suspected. This is because according to the protocol, an overlay node can be suspected by the MUTE failure detector only if it is not forwarding a message m that it received from another overlay node or from the originator of m. Yet, since p is not mute, if p has m, it will always forward it. If p does not have the message m, p will send a FIND MISSING MSG message and it will receive the missing message m either from nodes that belong to N(2, p) or after at most max timeout (n 1) seconds (as we show in Theorem 3.4). Once p receives m, it will forward m to its neighboring nodes and therefore p will not be suspected since mute interval > (n 1) max timeout (according to Observation 3.3). Lemma 3.9 Assume that the MUTE failure detector I mute. Then there is an interval in which the nonmute overlay nodes form a connected graph such that every correct node is either in the overlay, or within the transmission range of a non-mute overlay node. Proof: Lemma 3.8 shows that non-mute nodes are not suspected and according to Lemma 3.7 there is an interval such that I mute of all correct nodes suspects all mute nodes. Thus, none of the mute nodes will be trusted. Consequently, the overlay built by the maintenance protocol will have the desired property. Theorem 3.1 If the MUTE failure detector I mute then there is an interval such that, when there are no collisions, most messages propagate to all the nodes via the overlay nodes. Proof: Lemma 3.7 shows that there is a certain interval when every mute overlay node is suspected. In Lemma 3.9, we showed that there is an interval such that the non-mute nodes of the overlay form a connected graph that covers all non-mute nodes. Therefore, during a certain interval, all messages are propagated by overlay nodes to all correct nodes, which proves the lemma. 4 Results We have measured the performance of our protocol using the SWANS/JIST simulator [1]. In the simulations, we have compared the performance of our protocol with the performance of flooding on one hand and 15
Parsimonious Asynchronous Byzantine-Fault-Tolerant Atomic Broadcast
Parsimonious Asynchronous Byzantine-Fault-Tolerant Atomic Broadcast HariGovind V. Ramasamy Christian Cachin August 19, 2005 Abstract Atomic broadcast is a communication primitive that allows a group of
More informationA Correctness Proof for a Practical Byzantine-Fault-Tolerant Replication Algorithm
Appears as Technical Memo MIT/LCS/TM-590, MIT Laboratory for Computer Science, June 1999 A Correctness Proof for a Practical Byzantine-Fault-Tolerant Replication Algorithm Miguel Castro and Barbara Liskov
More informationManagement of Protocol State
Management of Protocol State Ibrahim Matta December 2012 1 Introduction These notes highlight the main issues related to synchronizing the data at both sender and receiver of a protocol. For example, in
More informationSemi-Passive Replication in the Presence of Byzantine Faults
Semi-Passive Replication in the Presence of Byzantine Faults HariGovind V. Ramasamy Adnan Agbaria William H. Sanders University of Illinois at Urbana-Champaign 1308 W. Main Street, Urbana IL 61801, USA
More informationSelf Stabilization. CS553 Distributed Algorithms Prof. Ajay Kshemkalyani. by Islam Ismailov & Mohamed M. Ali
Self Stabilization CS553 Distributed Algorithms Prof. Ajay Kshemkalyani by Islam Ismailov & Mohamed M. Ali Introduction There is a possibility for a distributed system to go into an illegitimate state,
More informationPractical Byzantine Fault Tolerance. Miguel Castro and Barbara Liskov
Practical Byzantine Fault Tolerance Miguel Castro and Barbara Liskov Outline 1. Introduction to Byzantine Fault Tolerance Problem 2. PBFT Algorithm a. Models and overview b. Three-phase protocol c. View-change
More informationChapter 8 Fault Tolerance
DISTRIBUTED SYSTEMS Principles and Paradigms Second Edition ANDREW S. TANENBAUM MAARTEN VAN STEEN Chapter 8 Fault Tolerance 1 Fault Tolerance Basic Concepts Being fault tolerant is strongly related to
More informationDistributed Computing over Communication Networks: Leader Election
Distributed Computing over Communication Networks: Leader Election Motivation Reasons for electing a leader? Reasons for not electing a leader? Motivation Reasons for electing a leader? Once elected, coordination
More informationIntuitive distributed algorithms. with F#
Intuitive distributed algorithms with F# Natallia Dzenisenka Alena Hall @nata_dzen @lenadroid A tour of a variety of intuitivedistributed algorithms used in practical distributed systems. and how to prototype
More information21. Distributed Algorithms
21. Distributed Algorithms We dene a distributed system as a collection of individual computing devices that can communicate with each other [2]. This denition is very broad, it includes anything, from
More informationByzantine Consensus in Directed Graphs
Byzantine Consensus in Directed Graphs Lewis Tseng 1,3, and Nitin Vaidya 2,3 1 Department of Computer Science, 2 Department of Electrical and Computer Engineering, and 3 Coordinated Science Laboratory
More informationSelf-stabilizing Byzantine Digital Clock Synchronization
Self-stabilizing Byzantine Digital Clock Synchronization Ezra N. Hoch, Danny Dolev and Ariel Daliot The Hebrew University of Jerusalem We present a scheme that achieves self-stabilizing Byzantine digital
More informationDistributed Systems Principles and Paradigms. Chapter 08: Fault Tolerance
Distributed Systems Principles and Paradigms Maarten van Steen VU Amsterdam, Dept. Computer Science Room R4.20, steen@cs.vu.nl Chapter 08: Fault Tolerance Version: December 2, 2010 2 / 65 Contents Chapter
More informationNetwork Layer: Routing
Network Layer: Routing The Problem A B R 1 R 2 R 4 R 3 Goal: for each destination, compute next hop 1 Lecture 9 2 Basic Assumptions Trivial solution: Flooding Dynamic environment: links and routers unreliable:
More informationOn the Composition of Authenticated Byzantine Agreement
On the Composition of Authenticated Byzantine Agreement Yehuda Lindell Anna Lysyanskaya Tal Rabin July 28, 2004 Abstract A fundamental problem of distributed computing is that of simulating a secure broadcast
More informationGATEWAY MULTIPOINT RELAYS AN MPR-BASED BROADCAST ALGORITHM FOR AD HOC NETWORKS. Ou Liang, Y. Ahmet Şekercioğlu, Nallasamy Mani
GATEWAY MULTIPOINT RELAYS AN MPR-BASED BROADCAST ALGORITHM FOR AD HOC NETWORKS Ou Liang, Y. Ahmet Şekercioğlu, Nallasamy Mani Centre for Telecommunication and Information Engineering Monash University,
More informationConsensus and related problems
Consensus and related problems Today l Consensus l Google s Chubby l Paxos for Chubby Consensus and failures How to make process agree on a value after one or more have proposed what the value should be?
More informationNetwork Routing - II Failures, Recovery, and Change
MIT 6.02 DRAFT Lecture Notes Spring 2009 (Last update: April 27, 2009) Comments, questions or bug reports? Please contact Hari Balakrishnan (hari@mit.edu) or 6.02-staff@mit.edu LECTURE 21 Network Routing
More informationFault Tolerance. Basic Concepts
COP 6611 Advanced Operating System Fault Tolerance Chi Zhang czhang@cs.fiu.edu Dependability Includes Availability Run time / total time Basic Concepts Reliability The length of uninterrupted run time
More informationRouting Protocols in MANETs
Chapter 4 Routing Protocols in MANETs 4.1 Introduction The main aim of any Ad Hoc network routing protocol is to meet the challenges of the dynamically changing topology and establish a correct and an
More informationCSE 486/586 Distributed Systems
CSE 486/586 Distributed Systems Failure Detectors Slides by: Steve Ko Computer Sciences and Engineering University at Buffalo Administrivia Programming Assignment 2 is out Please continue to monitor Piazza
More informationFault-Tolerance & Paxos
Chapter 15 Fault-Tolerance & Paxos How do you create a fault-tolerant distributed system? In this chapter we start out with simple questions, and, step by step, improve our solutions until we arrive at
More informationBroadcasting Techniques for Mobile Ad Hoc Networks
Broadcasting Techniques for Mobile Ad Hoc Networks Broadcasting: It is the process in which one node sends a packet to all other nodes in the network. 1 Usefulness of broadcasting Broadcasting of net-wide
More informationIN a mobile ad hoc network, nodes move arbitrarily.
IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 5, NO. 6, JUNE 2006 609 Distributed Cache Updating for the Dynamic Source Routing Protocol Xin Yu Abstract On-demand routing protocols use route caches to make
More informationACONCURRENT system may be viewed as a collection of
252 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 10, NO. 3, MARCH 1999 Constructing a Reliable Test&Set Bit Frank Stomp and Gadi Taubenfeld AbstractÐThe problem of computing with faulty
More informationDistributed Systems (ICE 601) Fault Tolerance
Distributed Systems (ICE 601) Fault Tolerance Dongman Lee ICU Introduction Failure Model Fault Tolerance Models state machine primary-backup Class Overview Introduction Dependability availability reliability
More informationUsing Hybrid Algorithm in Wireless Ad-Hoc Networks: Reducing the Number of Transmissions
Using Hybrid Algorithm in Wireless Ad-Hoc Networks: Reducing the Number of Transmissions R.Thamaraiselvan 1, S.Gopikrishnan 2, V.Pavithra Devi 3 PG Student, Computer Science & Engineering, Paavai College
More informationResearch Report. (Im)Possibilities of Predicate Detection in Crash-Affected Systems. RZ 3361 (# 93407) 20/08/2001 Computer Science 27 pages
RZ 3361 (# 93407) 20/08/2001 Computer Science 27 pages Research Report (Im)Possibilities of Predicate Detection in Crash-Affected Systems Felix C. Gärtner and Stefan Pleisch Department of Computer Science
More informationInitial Assumptions. Modern Distributed Computing. Network Topology. Initial Input
Initial Assumptions Modern Distributed Computing Theory and Applications Ioannis Chatzigiannakis Sapienza University of Rome Lecture 4 Tuesday, March 6, 03 Exercises correspond to problems studied during
More informationAODV-PA: AODV with Path Accumulation
-PA: with Path Accumulation Sumit Gwalani Elizabeth M. Belding-Royer Department of Computer Science University of California, Santa Barbara fsumitg, ebeldingg@cs.ucsb.edu Charles E. Perkins Communications
More informationTHE TRANSPORT LAYER UNIT IV
THE TRANSPORT LAYER UNIT IV The Transport Layer: The Transport Service, Elements of Transport Protocols, Congestion Control,The internet transport protocols: UDP, TCP, Performance problems in computer
More informationConsensus in the Presence of Partial Synchrony
Consensus in the Presence of Partial Synchrony CYNTHIA DWORK AND NANCY LYNCH.Massachusetts Institute of Technology, Cambridge, Massachusetts AND LARRY STOCKMEYER IBM Almaden Research Center, San Jose,
More informationDraft Notes 1 : Scaling in Ad hoc Routing Protocols
Draft Notes 1 : Scaling in Ad hoc Routing Protocols Timothy X Brown University of Colorado April 2, 2008 2 Introduction What is the best network wireless network routing protocol? This question is a function
More informationCHAPTER 5 PROPAGATION DELAY
98 CHAPTER 5 PROPAGATION DELAY Underwater wireless sensor networks deployed of sensor nodes with sensing, forwarding and processing abilities that operate in underwater. In this environment brought challenges,
More informationIncompatibility Dimensions and Integration of Atomic Commit Protocols
The International Arab Journal of Information Technology, Vol. 5, No. 4, October 2008 381 Incompatibility Dimensions and Integration of Atomic Commit Protocols Yousef Al-Houmaily Department of Computer
More informationCapacity of Byzantine Agreement: Complete Characterization of Four-Node Networks
Capacity of Byzantine Agreement: Complete Characterization of Four-Node Networks Guanfeng Liang and Nitin Vaidya Department of Electrical and Computer Engineering, and Coordinated Science Laboratory University
More informationThe Encoding Complexity of Network Coding
The Encoding Complexity of Network Coding Michael Langberg Alexander Sprintson Jehoshua Bruck California Institute of Technology Email: mikel,spalex,bruck @caltech.edu Abstract In the multicast network
More informationConsensus, impossibility results and Paxos. Ken Birman
Consensus, impossibility results and Paxos Ken Birman Consensus a classic problem Consensus abstraction underlies many distributed systems and protocols N processes They start execution with inputs {0,1}
More informationCHAPTER 5 AN AODV-BASED CLUSTERING APPROACH FOR EFFICIENT ROUTING
99 CHAPTER 5 AN AODV-BASED CLUSTERING APPROACH FOR EFFICIENT ROUTING 5.1 INTRODUCTION Dynamic network topology and limited system resources characterize mobile ad hoc networking. Many routing protocols
More informationFault Tolerance Part II. CS403/534 Distributed Systems Erkay Savas Sabanci University
Fault Tolerance Part II CS403/534 Distributed Systems Erkay Savas Sabanci University 1 Reliable Group Communication Reliable multicasting: A message that is sent to a process group should be delivered
More informationMODELS OF DISTRIBUTED SYSTEMS
Distributed Systems Fö 2/3-1 Distributed Systems Fö 2/3-2 MODELS OF DISTRIBUTED SYSTEMS Basic Elements 1. Architectural Models 2. Interaction Models Resources in a distributed system are shared between
More informationWireless MACs: MACAW/802.11
Wireless MACs: MACAW/802.11 Mark Handley UCL Computer Science CS 3035/GZ01 Fundamentals: Spectrum and Capacity A particular radio transmits over some range of frequencies; its bandwidth, in the physical
More information13 Sensor networks Gathering in an adversarial environment
13 Sensor networks Wireless sensor systems have a broad range of civil and military applications such as controlling inventory in a warehouse or office complex, monitoring and disseminating traffic conditions,
More informationLixia Zhang M. I. T. Laboratory for Computer Science December 1985
Network Working Group Request for Comments: 969 David D. Clark Mark L. Lambert Lixia Zhang M. I. T. Laboratory for Computer Science December 1985 1. STATUS OF THIS MEMO This RFC suggests a proposed protocol
More informationWireless Mesh Networks
Wireless Mesh Networks COS 463: Wireless Networks Lecture 6 Kyle Jamieson [Parts adapted from I. F. Akyildiz, B. Karp] Wireless Mesh Networks Describes wireless networks in which each node can communicate
More informationSystem Models. 2.1 Introduction 2.2 Architectural Models 2.3 Fundamental Models. Nicola Dragoni Embedded Systems Engineering DTU Informatics
System Models Nicola Dragoni Embedded Systems Engineering DTU Informatics 2.1 Introduction 2.2 Architectural Models 2.3 Fundamental Models Architectural vs Fundamental Models Systems that are intended
More informationFair exchange and non-repudiation protocols
Fair exchange and non-repudiation protocols Levente Buttyán Laboratory of Cryptography and System Security (CrySyS) Budapest University of Technology and Economics buttyan@crysys.hu 2010 Levente Buttyán
More informationConsensus Problem. Pradipta De
Consensus Problem Slides are based on the book chapter from Distributed Computing: Principles, Paradigms and Algorithms (Chapter 14) by Kshemkalyani and Singhal Pradipta De pradipta.de@sunykorea.ac.kr
More informationDistributed minimum spanning tree problem
Distributed minimum spanning tree problem Juho-Kustaa Kangas 24th November 2012 Abstract Given a connected weighted undirected graph, the minimum spanning tree problem asks for a spanning subtree with
More informationKey-value store with eventual consistency without trusting individual nodes
basementdb Key-value store with eventual consistency without trusting individual nodes https://github.com/spferical/basementdb 1. Abstract basementdb is an eventually-consistent key-value store, composed
More informationDistributed Systems Fault Tolerance
Distributed Systems Fault Tolerance [] Fault Tolerance. Basic concepts - terminology. Process resilience groups and failure masking 3. Reliable communication reliable client-server communication reliable
More informationOccasionally, a network or a gateway will go down, and the sequence. of hops which the packet takes from source to destination must change.
RFC: 816 FAULT ISOLATION AND RECOVERY David D. Clark MIT Laboratory for Computer Science Computer Systems and Communications Group July, 1982 1. Introduction Occasionally, a network or a gateway will go
More informationECE 333: Introduction to Communication Networks Fall 2001
ECE : Introduction to Communication Networks Fall 00 Lecture : Routing and Addressing I Introduction to Routing/Addressing Lectures 9- described the main components of point-to-point networks, i.e. multiplexed
More informationMODELS OF DISTRIBUTED SYSTEMS
Distributed Systems Fö 2/3-1 Distributed Systems Fö 2/3-2 MODELS OF DISTRIBUTED SYSTEMS Basic Elements 1. Architectural Models 2. Interaction Models Resources in a distributed system are shared between
More informationDistributed Systems COMP 212. Lecture 19 Othon Michail
Distributed Systems COMP 212 Lecture 19 Othon Michail Fault Tolerance 2/31 What is a Distributed System? 3/31 Distributed vs Single-machine Systems A key difference: partial failures One component fails
More informationConsensus a classic problem. Consensus, impossibility results and Paxos. Distributed Consensus. Asynchronous networks.
Consensus, impossibility results and Paxos Ken Birman Consensus a classic problem Consensus abstraction underlies many distributed systems and protocols N processes They start execution with inputs {0,1}
More informationInst: Chris Davison
ICS 153 Introduction to Computer Networks Inst: Chris Davison cbdaviso@uci.edu ICS 153 Data Link Layer Contents Simplex and Duplex Communication Frame Creation Flow Control Error Control Performance of
More informationFork Sequential Consistency is Blocking
Fork Sequential Consistency is Blocking Christian Cachin Idit Keidar Alexander Shraer May 14, 2008 Abstract We consider an untrusted server storing shared data on behalf of clients. We show that no storage
More informationChapter 5 (Week 9) The Network Layer ANDREW S. TANENBAUM COMPUTER NETWORKS FOURTH EDITION PP BLM431 Computer Networks Dr.
Chapter 5 (Week 9) The Network Layer ANDREW S. TANENBAUM COMPUTER NETWORKS FOURTH EDITION PP. 343-396 1 5.1. NETWORK LAYER DESIGN ISSUES 5.2. ROUTING ALGORITHMS 5.3. CONGESTION CONTROL ALGORITHMS 5.4.
More informationCS505: Distributed Systems
Cristina Nita-Rotaru CS505: Distributed Systems Protocols. Slides prepared based on material by Prof. Ken Birman at Cornell University, available at http://www.cs.cornell.edu/ken/book/ Required reading
More informationCC-SCTP: Chunk Checksum of SCTP for Enhancement of Throughput in Wireless Network Environments
CC-SCTP: Chunk Checksum of SCTP for Enhancement of Throughput in Wireless Network Environments Stream Control Transmission Protocol (SCTP) uses the 32-bit checksum in the common header, by which a corrupted
More informationNETWORK coding is an area that has emerged in 2000 [1],
450 IEEE/ACM TRANSACTIONS ON NETWORKING, VOL. 16, NO. 2, APRIL 2008 Efficient Broadcasting Using Network Coding Christina Fragouli, Jörg Widmer, and Jean-Yves Le Boudec, Fellow, IEEE Abstract We consider
More informationWSN Routing Protocols
WSN Routing Protocols 1 Routing Challenges and Design Issues in WSNs 2 Overview The design of routing protocols in WSNs is influenced by many challenging factors. These factors must be overcome before
More information3DLS: Density-Driven Data Location Service for Mobile Ad-Hoc Networks
: Density-Driven Data Location Service for Mobile Ad-Hoc Networks Roy Friedman Noam Mori Computer Science Department Technion - Israel Institute of Technology Haifa, 32 Israel Email:{roy,noam}@cs.technion.ac.il
More informationADHOC SYSTEMSS ABSTRACT. the system. The diagnosis strategy. is an initiator of. can in the hierarchy. paper include. this. than.
Journal of Theoretical and Applied Information Technology 2005-2007 JATIT. All rights reserved. www.jatit.org A HIERARCHICAL APPROACH TO FAULT DIAGNOSIS IN LARGE S CALE SELF-DIAGNOSABLE WIRELESS ADHOC
More informationC 1. Recap. CSE 486/586 Distributed Systems Failure Detectors. Today s Question. Two Different System Models. Why, What, and How.
Recap Best Practices Distributed Systems Failure Detectors Steve Ko Computer Sciences and Engineering University at Buffalo 2 Today s Question Two Different System Models How do we handle failures? Cannot
More informationAdapting Commit Protocols for Large-Scale and Dynamic Distributed Applications
Adapting Commit Protocols for Large-Scale and Dynamic Distributed Applications Pawel Jurczyk and Li Xiong Emory University, Atlanta GA 30322, USA {pjurczy,lxiong}@emory.edu Abstract. The continued advances
More informationCS5412: CONSENSUS AND THE FLP IMPOSSIBILITY RESULT
1 CS5412: CONSENSUS AND THE FLP IMPOSSIBILITY RESULT Lecture XII Ken Birman Generalizing Ron and Hermione s challenge 2 Recall from last time: Ron and Hermione had difficulty agreeing where to meet for
More informationInterface The exit interface a packet will take when destined for a specific network.
The Network Layer The Network layer (also called layer 3) manages device addressing, tracks the location of devices on the network, and determines the best way to move data, which means that the Network
More informationFork Sequential Consistency is Blocking
Fork Sequential Consistency is Blocking Christian Cachin Idit Keidar Alexander Shraer Novembe4, 008 Abstract We consider an untrusted server storing shared data on behalf of clients. We show that no storage
More informationThwarting Traceback Attack on Freenet
Thwarting Traceback Attack on Freenet Guanyu Tian, Zhenhai Duan Florida State University {tian, duan}@cs.fsu.edu Todd Baumeister, Yingfei Dong University of Hawaii {baumeist, yingfei}@hawaii.edu Abstract
More informationRouting. Information Networks p.1/35
Routing Routing is done by the network layer protocol to guide packets through the communication subnet to their destinations The time when routing decisions are made depends on whether we are using virtual
More informationFault Tolerance. Distributed Systems. September 2002
Fault Tolerance Distributed Systems September 2002 Basics A component provides services to clients. To provide services, the component may require the services from other components a component may depend
More informationDistributed systems. Lecture 6: distributed transactions, elections, consensus and replication. Malte Schwarzkopf
Distributed systems Lecture 6: distributed transactions, elections, consensus and replication Malte Schwarzkopf Last time Saw how we can build ordered multicast Messages between processes in a group Need
More informationThere are 10 questions in total. Please write your SID on each page.
Name: SID: Department of EECS - University of California at Berkeley EECS122 - Introduction to Communication Networks - Spring 2005 to the Final: 5/20/2005 There are 10 questions in total. Please write
More informationAssignment 12: Commit Protocols and Replication Solution
Data Modelling and Databases Exercise dates: May 24 / May 25, 2018 Ce Zhang, Gustavo Alonso Last update: June 04, 2018 Spring Semester 2018 Head TA: Ingo Müller Assignment 12: Commit Protocols and Replication
More informationDistributed Systems. 09. State Machine Replication & Virtual Synchrony. Paul Krzyzanowski. Rutgers University. Fall Paul Krzyzanowski
Distributed Systems 09. State Machine Replication & Virtual Synchrony Paul Krzyzanowski Rutgers University Fall 2016 1 State machine replication 2 State machine replication We want high scalability and
More informationBUFFER management is a significant component
1 Stepwise Fair-Share Buffering for Gossip-Based Peer-to-Peer Data Dissemination Oznur Ozkasap, Mine Caglar, Emrah Cem, Emrah Ahi, and Emre Iskender Abstract We consider buffer management in support of
More informationGIAN Course on Distributed Network Algorithms. Spanning Tree Constructions
GIAN Course on Distributed Network Algorithms Spanning Tree Constructions Stefan Schmid @ T-Labs, 2011 Spanning Trees Attactive infrastructure : sparse subgraph ( loop-free backbone ) connecting all nodes.
More informationExclusion-Freeness in Multi-party Exchange Protocols
Exclusion-Freeness in Multi-party Exchange Protocols Nicolás González-Deleito and Olivier Markowitch Université Libre de Bruxelles Bd. du Triomphe CP212 1050 Bruxelles Belgium {ngonzale,omarkow}@ulb.ac.be
More informationBYZANTINE AGREEMENT CH / $ IEEE. by H. R. Strong and D. Dolev. IBM Research Laboratory, K55/281 San Jose, CA 95193
BYZANTINE AGREEMENT by H. R. Strong and D. Dolev IBM Research Laboratory, K55/281 San Jose, CA 95193 ABSTRACT Byzantine Agreement is a paradigm for problems of reliable consistency and synchronization
More informationCS 5520/ECE 5590NA: Network Architecture I Spring Lecture 13: UDP and TCP
CS 5520/ECE 5590NA: Network Architecture I Spring 2008 Lecture 13: UDP and TCP Most recent lectures discussed mechanisms to make better use of the IP address space, Internet control messages, and layering
More informationSEAR: SECURED ENERGY-AWARE ROUTING WITH TRUSTED PAYMENT MODEL FOR WIRELESS NETWORKS
SEAR: SECURED ENERGY-AWARE ROUTING WITH TRUSTED PAYMENT MODEL FOR WIRELESS NETWORKS S. P. Manikandan 1, R. Manimegalai 2 and S. Kalimuthu 3 1 Department of Computer Science and Engineering, Sri Venkateshwara
More informationAd hoc and Sensor Networks Chapter 13a: Protocols for dependable data transport
Ad hoc and Sensor Networks Chapter 13a: Protocols for dependable data transport Holger Karl Computer Networks Group Universität Paderborn Overview Dependability requirements Delivering single packets Delivering
More informationFast Paxos. Leslie Lamport
Distrib. Comput. (2006) 19:79 103 DOI 10.1007/s00446-006-0005-x ORIGINAL ARTICLE Fast Paxos Leslie Lamport Received: 20 August 2005 / Accepted: 5 April 2006 / Published online: 8 July 2006 Springer-Verlag
More informationImpact of transmission errors on TCP performance. Outline. Random Errors
Impact of transmission errors on TCP performance 1 Outline Impact of transmission errors on TCP performance Approaches to improve TCP performance Classification Discussion of selected approaches 2 Random
More informationII. Principles of Computer Communications Network and Transport Layer
II. Principles of Computer Communications Network and Transport Layer A. Internet Protocol (IP) IPv4 Header An IP datagram consists of a header part and a text part. The header has a 20-byte fixed part
More informationEfficient Buffering in Reliable Multicast Protocols
Efficient Buffering in Reliable Multicast Protocols Oznur Ozkasap, Robbert van Renesse, Kenneth P. Birman, Zhen Xiao Dept. of Computer Science, Cornell University 4118 Upson Hall, Ithaca, NY 14853 {ozkasap,rvr,ken,xiao}@cs.cornell.edu
More informationWireless Network Security Spring 2015
Wireless Network Security Spring 2015 Patrick Tague Class #12 Forwarding Security 2015 Patrick Tague 1 SoW Presentation SoW Thursday in class I'll post a template Each team gets ~5-8 minutes Written SoW
More informationA family of optimal termination detection algorithms
Distrib. Comput. (2007) 20:141 162 DOI 10.1007/s00446-007-0031-3 A family of optimal termination detection algorithms Neeraj Mittal S. Venkatesan Sathya Peri Received: 28 January 2005 / Accepted: 20 April
More informationIntroduction to Distributed Systems Seif Haridi
Introduction to Distributed Systems Seif Haridi haridi@kth.se What is a distributed system? A set of nodes, connected by a network, which appear to its users as a single coherent system p1 p2. pn send
More informationConsul: A Communication Substrate for Fault-Tolerant Distributed Programs
Consul: A Communication Substrate for Fault-Tolerant Distributed Programs Shivakant Mishra, Larry L. Peterson, and Richard D. Schlichting Department of Computer Science The University of Arizona Tucson,
More informationOn the Max Coloring Problem
On the Max Coloring Problem Leah Epstein Asaf Levin May 22, 2010 Abstract We consider max coloring on hereditary graph classes. The problem is defined as follows. Given a graph G = (V, E) and positive
More informationCSE 5306 Distributed Systems. Fault Tolerance
CSE 5306 Distributed Systems Fault Tolerance 1 Failure in Distributed Systems Partial failure happens when one component of a distributed system fails often leaves other components unaffected A failure
More informationCoordination and Agreement
Coordination and Agreement Nicola Dragoni Embedded Systems Engineering DTU Informatics 1. Introduction 2. Distributed Mutual Exclusion 3. Elections 4. Multicast Communication 5. Consensus and related problems
More informationGenerating Fast Indulgent Algorithms
Generating Fast Indulgent Algorithms Dan Alistarh 1, Seth Gilbert 2, Rachid Guerraoui 1, and Corentin Travers 3 1 EPFL, Switzerland 2 National University of Singapore 3 Université de Bordeaux 1, France
More informationRouting in Ad Hoc Wireless Networks PROF. MICHAEL TSAI / DR. KATE LIN 2014/05/14
Routing in Ad Hoc Wireless Networks PROF. MICHAEL TSAI / DR. KATE LIN 2014/05/14 Routing Algorithms Link- State algorithm Each node maintains a view of the whole network topology Find the shortest path
More informationDistributed Algorithms 6.046J, Spring, Nancy Lynch
Distributed Algorithms 6.046J, Spring, 205 Nancy Lynch What are Distributed Algorithms? Algorithms that run on networked processors, or on multiprocessors that share memory. They solve many kinds of problems:
More informationPeer-to-peer systems and overlay networks
Complex Adaptive Systems C.d.L. Informatica Università di Bologna Peer-to-peer systems and overlay networks Fabio Picconi Dipartimento di Scienze dell Informazione 1 Outline Introduction to P2P systems
More informationMobile Ad hoc Networking (MANET) LIX, Ecole Polytechnique, France. Intended status: Standards Track
Page 1 of 64 Mobile Ad hoc Networking (MANET) Internet-Draft Intended status: Standards Track Expires: June 8, 2008 T. Clausen LIX, Ecole Polytechnique, France C. Dearlove BAE Systems Advanced Technology
More information